#9
29-06-2009, 07:13 PM
townsbg
Dedicated Member
Loyal Contributor
 
Join Date: Apr 2005
Posts: 1,612
re: [Resolved] Slow Computer

OK, I downloaded ComboFix from the first link [the one on the left] and when I tried to run it I got the message attached below. A download from the other link didn't give that message. I just thought that you should know. Here are the logs you said to post. Now I ask you: is it clean, or do I have to do something else? BTW, the computer is an eMachines T2484 with a 2.4 GHz Intel Celeron, 256 MB of RAM, an 80 GB HDD with 62.2 GB free, and Intel Extreme Graphics 3D. With the exception of the RAM, not a bad computer for all that they need. To be sure, I deleted all of the restore points. I know that you'll probably say that that was unnecessary, but I wanted to be sure.

ComboFix
Quote:
ComboFix 09-06-29.01 - Terry Gentry 06/29/2009 12:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.83 [GMT -5:00]
Running from: c:\documents and settings\Terry Gentry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Johnny Gentry\Favorites\.url
C:\lswmv.ini
c:\program files\Common Files\curity~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\smbols~1
c:\program files\Common Files\uninstall information
c:\program files\Common Files\wnsxs~1
c:\windows\crosof~1
c:\windows\fnts~1
c:\windows\stem32~1
c:\windows\system32\fnts~1
c:\windows\system32\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-29 14:15 . 2009-06-29 14:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-27 18:26 . 2009-06-27 18:26 -------- d-----w- c:\program files\Trend Micro
2009-06-27 18:13 . 2009-06-27 18:13 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Malwarebytes
2009-06-27 18:12 . 2009-06-27 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 19:52 . 2009-06-25 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-25 19:51 . 2009-06-25 21:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 19:51 . 2009-06-25 19:51 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\SUPERAntiSpyware.com
2009-06-25 19:51 . 2009-06-25 19:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-25 19:12 . 2009-06-25 19:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-23 20:58 . 2009-06-23 20:58 -------- d-----w- c:\program files\CCleaner
2009-06-23 20:50 . 2009-06-27 19:55 -------- d-----w- c:\program files\MSECACHE
2009-06-12 16:57 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 16:57 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-06 16:10 . 2009-06-06 16:10 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\aAvgApi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 17:27 . 2005-11-03 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-25 20:07 . 2005-02-08 01:15 -------- d-----w- c:\program files\Microsoft Games
2009-06-25 19:28 . 2009-05-12 19:55 -------- d-----w- c:\program files\Java
2009-06-13 08:19 . 2009-02-09 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 13:33 . 2005-07-19 18:16 -------- d-----w- c:\documents and settings\Johnny Gentry\Application Data\Lavasoft
2009-05-13 05:15 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 20:32 . 2009-05-11 20:32 -------- d-----w- c:\program files\AVG
2009-05-11 20:25 . 2009-05-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-11 20:19 . 2009-05-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-11 20:19 . 2005-01-29 23:45 -------- d-----w- c:\program files\Yahoo!
2009-05-11 20:19 . 2009-05-11 20:19 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Yahoo!
2009-05-11 19:51 . 2003-05-31 16:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-11 19:50 . 2009-03-03 14:55 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Move Networks
2009-05-11 19:49 . 2003-05-31 16:38 -------- d-----w- c:\program files\Microsoft Works
2009-05-11 19:40 . 2006-07-20 00:22 -------- d-----w- c:\program files\Common Files\Scanner
2009-05-11 19:37 . 2003-05-31 16:41 -------- d-----w- c:\program files\ICQ
2009-05-07 15:32 . 2003-05-31 16:13 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2003-05-31 16:13 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-16 15:50 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2005-09-02 16:15 . 2005-01-14 16:53 475 -csh--w- c:\windows\system32\imfi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\CODYGE~1\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\CODYGE~1\LOCALS~1\Temp\bDMusicb.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [1/19/2004 10:05 PM 72576]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-05-31 16:04]

2009-06-28 c:\windows\Tasks\User_Feed_Synchronization-{B70EC5FC-6D46-4E7F-8CBE-1CB32099EF79}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Eaut - c:\progra~1\COMMON~1\CURITY~1\explorer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.sandboxer.com/redirect.aspx?ID=21&MID=4L9T23T3HR%23BMD3EHB%406H2FR727%232S%23H%23KQ4MT%40C%23W
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-29 12:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\TypeLib]
@DACL=(02 0000)
@="{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0]
@DACL=(02 0000)
@="AMNotifier 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\itbill\CONFIG]
@DACL=(02 0000)
"url"="u}G<<{|vsvr;nyovyy;p|z<{|vsvr<{|vsvr?;ptvLp|{svtJhP\\[SVTj3t‚vqJhTbVQj3}|q‚pJh]_\\cj3zrnJhZRaNQNaNj3Jha_NSSVPlaf]Rj3u‚onJ>"
"domain"=""
"tracker"=""
"updates"=""
"val1"=dword:00000000
"val2"=dword:0036ee80
"val3"=dword:00000000
"val4"=dword:00002710
"activity"=dword:00000001
"last"=dword:4432e03d
"freeze"=dword:00000000

[HKEY_LOCAL_MACHINE\software\itbill\FSUPPORT]
@DACL=(02 0000)
"install_date"="2005-11-12"
"install_time"="13:23"
"ip_addr"="12.222.169.98"
"user_country"="US"
"dir_country"="US"
"userid"="61339790"
"cid"=""
"guid"="OI3AC/E9KA3FKSDHIU1MJJYE9MT514RD"
"ts"="pythonexit"
"tss"="redplayer2"
"idelta"="125"
"traffic_type"="A"
"altpay"="1"
"product"="movieland"

[HKEY_LOCAL_MACHINE\software\itbill\UPDATE]
@DACL=(02 0000)
"Module"=dword:443297ef
"Config"=dword:443297f7

[HKEY_LOCAL_MACHINE\software\MediaPipe\Prefs]
@DACL=(02 0000)
"version"="3"
"AltPayments"="movieland"
"ProductFamily"="movienetworks"
"Country"="US"
"Provider"="MovieLand"
"TRAFFIC_COUNTRY"=""
"TRAFFIC_PROGRAM"=""
"TRAFFIC_SOURCE"="pythonexit"
"TRAFFIC_SUBSOURCE"="redplayer2"
"JOIN_FORM_ID"="150"
"modem"=""
"GUID"="OI3AC/E9KA3FKSDHIU1MJJYE9MT514RD"
"Filename"="c:\\Program Files\\MediaPipe\\MediaPipe.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
.
************************************************************************
.
Completion time: 2009-06-29 12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-29 17:56

Pre-Run: 66,860,650,496 bytes free
Post-Run: 66,817,626,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

New HijackThis
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:56 PM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.com/redirect.as...3KQ4MT%40C%23W
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4668 bytes

Last edited by townsbg; 10-07-2009 at 05:57 AM.